hi,

I've looked a bit at the admin password feature => bug reports.
Even if you won't have time to fix all this, please make sure
everything is written in a place it won't be forgotten.

1. The /var/lib/gdm3/tails.password file must not be created in a
   world-readable manner.

2. The password is written to this file without any kind of quoting,
   then the file is interpreted by a shell. Seems obvious some kinds of
   passwords won't work, doesn't it?

3. set-user-password-and-locale error handling makes me doubtful.
   It seems to me such code is hiding fatal error conditions under the
   carpet:

       . /etc/live/config.d/username || exit 0
       if [ -z "${LIVE_USERNAME}" ] ; then
           exit 0
       fi

   How about echo'ing something to STDERR at least?

4. /etc/sudoers.d/ directory seems not enabled yet, but I think it
   should be unconditionally enabled at image build time by a
   chroot_local-hooks, rather than at logon time.

5. namespace
   I see those files are deleted when no admin password was entered:

       rm -f /etc/polkit-1/localauthority.conf.d/52-tails.conf
       rm -f /etc/sudoers.d/tails.conf

   I understand why such cleanup is useful, but it reveals
   tails-greeter considers those files as its own files, it is the
   only one to manage, i.e. it takes over generic file names. I think
   s/tails.conf/tails-greeter.conf would be appropriate.

6. does not work twice-in-a-row
   When LIVE_USERNAME has had a password set once by tails-greeter,
   then login, then logout, back at tails-greeter: tails-greeter does
   not allow login, presumably because it does its autologin with
   hardcoded password black magic tricks with the default / old /
   obsolete password. This is a blocker. Using regular GDM autologin
   functionality seems like the sane way to fix this. A
   quick'n'dirty way to hide the underlying problem, and have things
   working right now, is to reset the LIVE_USERNAME's password to the
   default one, in set-user-password-and-locale, in
   if [ -z "${TAILS_USER_PASSWORD}" ].

bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Who wants a world in which the guarantee that we shall not
| die of starvation would entail the risk of dying of boredom ?
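
Added example, not part of the original message and not tails-greeter's own code: one way to address points 1 and 2 together, writing the password to a file that is never world-readable and quoting it so that any password survives being sourced by a shell. The function names and the scratch directory are hypothetical, and TAILS_USER_PASSWORD (the variable named in point 6) is assumed to be the name assigned in the file.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the project's code).

# Quote a string for POSIX sh: wrap it in single quotes and turn every
# embedded single quote into '\'' (close quote, escaped quote, reopen).
sh_quote() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# Write NAME='quoted value' to $1. The umask is set in a subshell so the
# file is created 0600 from the start and the caller's umask is untouched;
# the rename makes the final file appear only once it is complete.
write_password_file() {
    file=$1 password=$2
    (
        umask 077
        tmp=$(mktemp "${file}.XXXXXX") || exit 1
        printf 'TAILS_USER_PASSWORD=%s\n' "$(sh_quote "$password")" > "$tmp" &&
        mv -f "$tmp" "$file"
    )
}

# Source the file the way the consuming script would, in a subshell,
# and print the recovered password. Complain on STDERR if it is missing.
read_password_file() {
    if [ ! -r "$1" ]; then
        echo "cannot read password file: $1" >&2
        return 1
    fi
    ( . "$1" && printf '%s' "$TAILS_USER_PASSWORD" )
}

# Demo with a constructed password in a scratch directory (not the real path).
demo_dir=$(mktemp -d)
write_password_file "$demo_dir/tails.password" "pa\$\$ 'word' \`x\`"
read_password_file "$demo_dir/tails.password"; echo
ls -l "$demo_dir/tails.password"
rm -rf "$demo_dir"
```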